
What if your vendor is hacked?

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.

As you may have read in the news, security firm Bit9 was hacked recently. It turns out that they didn’t install their own software on some of their computers, and the hackers stole a code-signing certificate and subsequently hacked some of the company’s clients, using the certificate to sign their own malware. Since Bit9’s solution relies solely on whitelisting, there wasn’t any way to prevent the malware from running at the clients’ sites.
Whitelisting means, in this case, that anything signed by Bit9’s certificate, or anything else on the list, was considered to be “good”. Whitelisting is normally considered to be better than blacklisting, where anything listed is considered to be “bad”, because it is by nature more restrictive: if you’re not on the list, you can’t “get in”. But how many times have you seen some hotshot character in a TV show or movie social-engineer his way past a bouncer’s “whitelist” at a bar or event? Ferris Bueller convinced the maitre d’ at Chez Quis that he was “Abe Froman, the Sausage King of Chicago”; the Bit9 hackers convinced Bit9’s clients’ computers that they were installing legitimate software, a technical version of the same gambit.
In other words, whitelisting isn’t foolproof either, especially when the fool in question is the security vendor you’re trusting to help keep your data secure. Bit9 was not following its own procedures for network security, and its customers were adversely affected as a result. The problem has now been fixed and the certificate in question revoked, but can Bit9 or its customers really be sure of the damage that was done?
It wasn’t all that long ago that the same thing happened to Adobe: their systems were hacked into and a signing certificate was stolen. The incident was swept under the rug after the certificate was revoked, and everyone assumes that as long as you’ve updated your software and your trusted certs you should be fine. But that assumption, along with the assumptions that the two utilities Adobe discovered had been signed with the affected certificate were the only ones, and that they can’t do any harm since the revocation, may not actually hold. And if it doesn’t, nobody can actually do anything about it.
So what can you do if your security vendor is hacked? The answer is that you need to have a contingency plan that covers this eventuality, and you need to be very vigilant about what (and who) is on your network.
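As an added illustration, not part of the original column, here is a small Python model of the two allowlisting policies the column contrasts (trusting any binary signed by the vendor's certificate, versus requiring a known file hash as well) and the after-the-fact hunt a customer would run once the certificate is revoked. Certificate names, hashes, dates and file paths are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class SignedBinary:
    path: str
    sha256: str          # digest of the file contents (constructed placeholder values below)
    signer: str          # identifier of the certificate the signature chains to
    signed_at: datetime  # assumed to come from a trusted timestamp countersignature

# Constructed policy data; the certificate names, hashes and dates are invented.
TRUSTED_SIGNERS = {"vendor-signing-cert", "os-vendor-cert"}
REVOKED_AT = {"vendor-signing-cert": datetime(2013, 2, 8, tzinfo=UTC)}  # stolen, later revoked
KNOWN_GOOD = {"sha256:1111": "vendor-agent.exe", "sha256:2222": "notepad.exe"}

# Constructed execution log: the legitimate vendor agent, two binaries signed with the stolen
# key (one dated before and one after revocation), and an OS binary.
SAMPLE_LOG = [
    SignedBinary("C:/Program Files/Vendor/agent.exe", "sha256:1111", "vendor-signing-cert", datetime(2012, 7, 1, tzinfo=UTC)),
    SignedBinary("C:/Users/Public/update.exe", "sha256:9999", "vendor-signing-cert", datetime(2013, 1, 15, tzinfo=UTC)),
    SignedBinary("C:/Temp/helper.exe", "sha256:8888", "vendor-signing-cert", datetime(2013, 3, 1, tzinfo=UTC)),
    SignedBinary("C:/Windows/notepad.exe", "sha256:2222", "os-vendor-cert", datetime(2012, 1, 1, tzinfo=UTC)),
]

def signer_only_policy(b: SignedBinary) -> bool:
    """Whitelisting as the column describes it: anything signed by a trusted certificate runs.
    Revocation only stops signatures dated after the revocation, so malware signed with the
    stolen key before the theft was noticed still passes."""
    if b.signer not in TRUSTED_SIGNERS:
        return False
    revoked = REVOKED_AT.get(b.signer)
    return revoked is None or b.signed_at < revoked

def signer_and_hash_policy(b: SignedBinary) -> bool:
    """Stricter allowlist: a trusted signature is necessary but not sufficient; the exact file
    hash must also be on the customer's own list, so a stolen key alone admits nothing."""
    return b.signer in TRUSTED_SIGNERS and b.sha256 in KNOWN_GOOD

def audit_executions(log: list) -> list:
    """Retrospective hunt after the vendor's breach: every executed binary signed by a now-revoked
    certificate whose hash is not on the allowlist, regardless of signing date."""
    return [b.path for b in log if b.signer in REVOKED_AT and b.sha256 not in KNOWN_GOOD]

if __name__ == "__main__":
    for b in SAMPLE_LOG:
        print(f"{b.path}: signer-only={signer_only_policy(b)} signer+hash={signer_and_hash_policy(b)}")
    print("suspect executions:", audit_executions(SAMPLE_LOG))
```

The signing date is only as trustworthy as the timestamp it comes from; a party holding the stolen key can back-date a plain signature, which is why the audit ignores the date entirely.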
